The Internal Revenue Service (IRS), state tax agencies, and the tax industry have announced a recent increase in email scams targeting employee forms W-2. Forms W-2 contain potentially sensitive information including an employee’s name, address, Social Security number, income, and withholdings.
The IRS reported a sharp increase in the number of scam incidents and victims during the 2017 filing season: the number of businesses, public schools, universities, tribal governments and nonprofits victimized by the W-2 scam increased to 200 (from 50 in 2016), translating into several hundred thousand employees whose sensitive data was stolen. In February, the IRS issued an urgent alert that the scam was targeting school districts, tribal organizations, and nonprofits; previously, the scammers had focused on for-profit corporations.
Earlier this year, the Federal Bureau of Investigation (FBI) reported a 1,300% increase in identified losses – with more than $3 billion in wire transfers – since January 2015 through the same kind of scam known as business e-mail compromise (BEC) or CEO impersonation.
Here’s how the W-2 scam typically works. Fraudsters send a fake email pretending to be from a high-level corporate employee, like a CEO, requesting information about employee forms W-2 from a company’s payroll or human resources departments. The emails typically ask for the forms W-2 and earnings summary of all W-2 employees or an updated list of employees with their details including Social Security Number, home address, and salary. Just like that, the scammers can capture all of the data for an entire company.
Instead of – or in addition to – tax data, thieves posing as the CEO may request that the employee make an immediate wire transfer from the company, usually to a trusted vendor. Of course, those tax forms and possibly hundreds of thousands of dollars end up in the hands of thieves.
To be convincing, the thieves, posing as the CEO, may access the company’s network through a spear-phishing attack and the use of malware in advance of the scam. They familiarize themselves with the company’s vendors and billing systems, as well as the CEO’s style of e-mail communication and possibly, the CEO’s travel schedule. Access to this kind of information makes it easier to trick employees into complying with requests.
So why would the thieves familiarize themselves with the CEO’s travel schedule? To limit the possibility that employees would ask questions directly. Don’t fall for it, advises the FBI. According to Martin Licciardo, special agent, FBI Washington Field Office, “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”
“These are incredibly tricky schemes that can be devastating to a tax professional or business,” said IRS Commissioner John Koskinen. “Cybercriminals target people with access to sensitive information, and they cleverly disguise their effort through an official-looking email request.”
That information – typically those forms W-2 – may be used to file fraudulent tax returns. Additionally, your personal information is marketable, and it can be posted for sale on the Dark Net (read more on the identity theft industry here).
Businesses and organizations which have been affected by the scheme should report the theft of the W-2 data to the IRS to dataloss@irs.gov. Be sure to include “W-2 scam” in the subject line and information about a point of contact in the body of the email. You should also report the theft to the FBI at the Internet Crime Complaint Center (IC3).
Businesses and organizations which have received a suspicious email but did not respond with information should forward the email to phishing@irs.gov with “W-2 scam” in the subject line.
If you are an employee whose form W-2 has been stolen, you should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. If your form W-2 was stolen and your tax return is kicked back during tax season, you should file a form 14039, Identity Theft Affidavit (downloads as a pdf).
The IRS urges employers, including tax practitioners, to review their policies for sending sensitive data such as forms W-2 or making wire transfers based on an email request. Consider requiring employees to confirm requests for forms W-2, wire transfers or any sensitive data exchanges verbally, using previously-known telephone numbers, not telephone numbers listed in the email. Requests for location changes in vendor payments should require a secondary sign-off by company personnel. Additionally, consult with an IT professional to ensure that your systems are secure.
The FBI recommends that companies create “intrusion detection system rules” that flag e-mails sent from domains that look similar to the company’s own domain, a common trick for deceiving employees. For example, if the legitimate company domain is abc_company.com, a rule would flag fraudulent email from abc-company.com. The FBI also suggests that you create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown. Finally, consider color coding virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
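The three FBI suggestions above (lookalike sender domains, a reply address that differs from the visible sender, and separating internal from external mail) are simple to express as header checks. The following Python script is an added illustration, not code from the IRS, the FBI, or this article: it assumes the company’s real domain is abc_company.com (the article’s example), treats a domain as a lookalike when it matches the real one after separators and common digit-for-letter substitutions are removed or differs from it by one character, and adds a keyword heuristic for W-2 and wire-transfer requests. The three sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organization's genuine mail domain (the article's example).
INTERNAL_DOMAINS = {"abc_company.com"}
# Assumption: phrases that mark a request for sensitive data or money.
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "social security", "ssn", "earnings summary")


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def normalize(domain):
    """Collapse separators and digit lookalikes so abc-company.com ~ abc_company.com."""
    d = re.sub(r"[-_.]", "", domain.lower())
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates an internal domain without being one."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    n = normalize(domain)
    return any(levenshtein(n, normalize(real)) <= 1 for real in INTERNAL_DOMAINS)


def analyze(raw_message):
    """Apply the three header rules plus the keyword heuristic to one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    from_domain, reply_domain = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + " " + (body_part.get_content() if body_part else "")).lower()

    flags = []
    if is_lookalike(from_domain) or is_lookalike(reply_domain):
        flags.append("lookalike_sender_domain")
    if reply_addr and reply_addr != from_addr:
        flags.append("reply_to_mismatch")
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("sensitive_request")
    # The internal/external label stands in for the FBI's color-coding suggestion.
    classification = "internal" if from_domain in INTERNAL_DOMAINS else "external"
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "classification": classification, "flags": flags}


# Constructed sample messages for the demonstration (not real mail).
SAMPLE_LOOKALIKE = """\
From: "Jane Doe, CEO" <jane.doe@abc-company.com>
To: payroll@abc_company.com
Subject: Urgent: W-2 and earnings summary for all employees

Please send me the W-2 and earnings summary of all employees as a PDF today.
"""

SAMPLE_REPLYTO = """\
From: "Jane Doe, CEO" <jane.doe@abc_company.com>
Reply-To: jane.doe@secure-mail-relay.example
To: finance@abc_company.com
Subject: Wire transfer - vendor account change

I am travelling; please wire the vendor payment to the new account before 3pm.
"""

SAMPLE_LEGIT = """\
From: hr@abc_company.com
To: staff@abc_company.com
Subject: Lunch menu

Cafeteria menu for next week attached.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The `classification` label only reflects what the From header claims; a forged From header passes it, which is why the mismatch and lookalike flags are checked independently and why the verbal call-back on a previously known number described above remains the decisive control.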
Don’t fall for the tricks. Keep your personal information safe by remaining alert. For tips on protecting yourself from identity theft-related tax fraud, click here.